US9053059B2ActiveUtilityA1

Roots-of-trust for measurement of virtual machines

80
Assignee: INTEL CORPPriority: Mar 6, 2013Filed: Mar 6, 2013Granted: Jun 9, 2015
Est. expiryMar 6, 2033(~6.7 yrs left)· nominal 20-yr term from priority
G06F 12/1408G06F 21/64G06F 9/455G06F 9/44505G06F 2009/45587G06F 9/45558G06F 21/57
80
PatentIndex Score
6
Cited by
15
References
17
Claims

Abstract

Embodiments of techniques and systems associated with roots-of-trust (RTMs) for measurement of virtual machines (VMs) are disclosed. In some embodiments, a computing platform may provide a virtual machine RTM (vRTM) in a first secure enclave of the computing platform. The computing platform may be configured to perform an integrity measurement of the first secure enclave. The computing platform may provide a virtual machine trusted platform module (vTPM), for a guest VM, outside the first secure enclave of the computing platform. The computing platform may initiate a chain of integrity measurements between the vRTM and a resource of the guest VM. Other embodiments may be described and/or claimed.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. An apparatus for computing, comprising:
 a processor; and 
 memory coupled with the processor, with instructions stored therein, wherein the instructions are configured to be operated by the processor to cause the apparatus to:
 provide a management virtual machine (MVM) in a first secure enclave of the apparatus; 
 provide a virtual machine trusted platform module (vTPM) for a guest virtual machine (VM) of the apparatus, the vTPM being provided in a second secure enclave of the apparatus different from the first secure enclave; 
 receive, at the vTPM, a command to change a value stored in a platform configuration register (PCR) of the vTPM; 
 receive, at the vTPM from the MVM through a secure channel, a modifier indicating that the command is allowed; 
 after receiving the modifier, change the value stored in the PCR; 
 provide a virtual machine root-of-trust for measurement (vRTM) in a third secure enclave of the apparatus, wherein the third secure enclave is different from the first and second secure enclaves; and 
 initiate, a chain of integrity measurements between the vRTM and a resource of the guest VM. 
 
 
     
     
       2. The apparatus of  claim 1 , wherein the modifier is representative of a lifecycle event of a VM associated with the PCR. 
     
     
       3. The apparatus of  claim 1 , wherein the command to change the value stored in the PCR is a command to extend the value stored in a PCR with a cryptographic hash of an integrity measurement of a VM resource associated with the PCR. 
     
     
       4. The apparatus of  claim 1 , wherein the MVM includes a virtual machine root-of-trust for measurement (vRTM). 
     
     
       5. One or more non-transitory machine readable media comprising instructions that, in response to execution by a processing device of a computing platform, cause the computing platform to:
 provide to the computing platform, a virtual machine root-of-trust for measurement (vRTM) in a first secure enclave of the computing platform, wherein the computing platform is configured to perform an integrity measurement of the first secure enclave; 
 provide, to the computing platform, a virtual machine trusted platform module (vTPM), for a guest virtual machine (VM), in a second secure enclave different from the first secure enclave; and 
 initiate, on the computing platform, a chain of integrity measurements between the vRTM and a resource of the guest VM, wherein the chain of integrity measurements includes one or more integrity measurements of the vTPM. 
 
     
     
       6. The one or more storage media of  claim 5 , wherein the first secure enclave comprises a region of memory of the computing platform, the region of memory not accessible via executed instructions located outside the region of memory. 
     
     
       7. The one or more storage media of  claim 5 , wherein the computing platform is further caused to:
 store, in the vTPM, an integrity measurement of the chain of integrity measurements between the vRTM and the resource of the guest VM. 
 
     
     
       8. The one or more storage media of  claim 5 , wherein the guest VM is outside the second secure enclave. 
     
     
       9. The one or more storage media of  claim 5 , wherein the chain of integrity measurements comprises an integrity measurement of the vTPM. 
     
     
       10. The one or more storage media of  claim 9 , wherein the chain of integrity measurements comprises an integrity measurement of a support VM that provides a service to the guest VM. 
     
     
       11. The one or more storage media of  claim 5 , wherein configured to perform an integrity measurement of the first secure enclave comprises having microcode associated with the first secure enclave configured to perform the integrity measurement of the first secure enclave and store the integrity measurement of the first secure enclave in a hardware register. 
     
     
       12. The one or more storage media of  claim 5 , wherein the vTPM is a first vTPM and the guest VM is a first guest VM, wherein the computing platform is further caused to:
 provide to the computing platform, a second vTPM for a second guest VM; and 
 initiate on the computing platform, a chain of integrity measurements between the vRTM and a resource of the second guest VM. 
 
     
     
       13. One or more non-transitory machine readable media comprising instructions that, in response to execution by a processing device of a first computing platform, cause the first computing platform to:
 transmit a command to a processing device of a second computing platform to report an integrity measurement of a secure enclave of the second computing platform, wherein the secure enclave contains a virtual machine root-of-trust for measurement (vRTM) configured as a root-of-trust for measurement for a chain of integrity measurements between the vRTM and a resource of a guest virtual machine (VM) disposed outside the secure enclave, wherein the chain of integrity measurements includes one or more integrity measurements of a virtual machine trusted platform module (vTPM), for the guest virtual machine (VM); 
 receive, from the second computing platform, an integrity measurement of the secure enclave; 
 compare the integrity measurement of the secure enclave to an expected value; and 
 communicate with the resource of the quest VM, in response to a result of the comparison that indicates the integrity measurement of the secure enclave matches the expected value. 
 
     
     
       14. The one or more storage media of  claim 13 , wherein the expected value is based on an expected set of machine-readable code defining the vRTM. 
     
     
       15. The one or more storage media of  claim 13 , wherein the integrity measurement of the secure enclave is signed with a key associated with the computing platform. 
     
     
       16. A method for initiating a chain of integrity measurements on a computing platform, comprising:
 providing, to the computing platform, a virtual machine root-of-trust for measurement (vRTM) in a first secure enclave of the computing platform, wherein the computing platform is configured to perform an integrity measurement of the first secure enclave; 
 providing, to the computing platform, a virtual machine trusted platform module (vTPM), for a guest virtual machine (VM), in a second secure enclave different from the first secure enclave; and 
 initiating, on the computing platform, a chain of integrity measurements between the vRTM and a resource of the guest VM, wherein the chain of integrity measurements includes one or more integrity measurements of the vTPM. 
 
     
     
       17. The method of  claim 16 , further comprising:
 storing, in the vTPM, an integrity measurement of the chain of integrity measurements between the vRTM and the resource of the guest VM.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.